architecture-patterns
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's configuration includes the Bash tool in its allowed-tools list. While the instructions advise the agent to use only read-only commands and avoid file modifications, the availability of the tool provides a technical capability for command execution that could be exploited.
- [PROMPT_INJECTION]: The skill processes external codebase content using the Read, Grep, and Glob tools, creating a surface for indirect prompt injection where malicious instructions in a project's source code could attempt to influence the agent.
  - Ingestion points: The skill reads codebase files via the Read, Grep, and Glob tools mentioned in SKILL.md.
  - Boundary markers: The skill lacks explicit delimiters or instructions for the agent to ignore instructions embedded within the data it analyzes, relying solely on natural language notes to remain read-only.
  - Capability inventory: The Bash shell tool is available for use.
  - Sanitization: There is no mention of sanitizing, validating, or filtering the content retrieved from the codebase before processing it.
Audit Metadata